
Bug#763780: apt-get: Insecure temporary changelog handling



On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
> Package: apt
> Version: 0.8.7
> Severity: serious
> Tags: security patch

Thanks for your bug report and your patch!
 
> I've found an instance of insecure temporary filenames handling. The
> problem is that the code correctly creates a temporary directory, but
> then uses that name as just a prefix for the created changelog
> filename, thus creating it alongside the temporary directory (instead
> of inside of it), and making it very much predictable. This is worsened
> due to the time it takes apt-get to download the changelog from the net,
> which gives a very huge window to use that pathname.
> 
> Attached a patch fixing this. This affects all versions starting from
> the one in squeeze.
> 
> I'm not sure if this deserves a CVE or perhaps a lower severity?
[..]

I uploaded a fix for wheezy now, squeeze is not affected, this feature
got added in 0.8.11 in Debian so we should be safe here.

Cheers,
 Michael
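
The path mix-up described in the report, shown as an added example that is not part of the original thread and is not apt's code: a directory made with mkdtemp(3) is private, but appending to its name instead of joining with "/" puts the file back in the shared parent. All function names, the template and the file names are hypothetical, and `open_exclusive` is one common hardening (`O_EXCL | O_NOFOLLOW`), not necessarily what the attached patch does.

```cpp
// Added illustration. Function names, the "example-XXXXXX" template and the
// ".changelog"/"changelog" file names are hypothetical; this is not apt's code.
#include <cstdlib>
#include <fcntl.h>
#include <iostream>
#include <stdexcept>
#include <string>
#include <unistd.h>

// Create a fresh directory under `base` with mkdtemp(3) (mode 0700).
std::string make_private_dir(const std::string &base) {
    std::string tmpl = base + "/example-XXXXXX";
    if (mkdtemp(&tmpl[0]) == nullptr)
        throw std::runtime_error("mkdtemp failed");
    return tmpl;
}

// Reported pattern: the directory name is only a prefix, so the file is
// created next to the private directory, in the shared parent.
std::string sibling_path(const std::string &dir) { return dir + ".changelog"; }

// Intended pattern: the file lives inside the private directory.
std::string inside_path(const std::string &dir) { return dir + "/changelog"; }

// Directory that actually contains `path`.
std::string parent_of(const std::string &path) {
    return path.substr(0, path.rfind('/'));
}

// Create the file only if nothing (file or symlink) already has that name.
int open_exclusive(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main() {
    const std::string dir = make_private_dir("/tmp");
    std::cout << "sibling file lands in: " << parent_of(sibling_path(dir)) << "\n"
              << "inside file lands in:  " << parent_of(inside_path(dir)) << "\n";
    int fd = open_exclusive(inside_path(dir));
    if (fd >= 0) close(fd);
    unlink(inside_path(dir).c_str());
    rmdir(dir.c_str());
    return fd >= 0 ? 0 : 1;
}
```
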
